Method for processing messages in a communication network comprising a plurality of network nodes
A method for processing messages in a communication network, wherein messages are transmitted between network nodes of the communication network, which are each combined with test information that is verifiable to determine whether a corresponding message is admissible, where an admissible message leads to a positive test result and an inadmissible message leads to a negative test result. For at least one message that is provided for a respective network node, an action coupled to the message is performed from the respective network node in time a message is received in the respective network node without checking the test information combined with the message, wherein, upon execution of the action, the test information is verified by the respective network node and, when the test result is negative, at least one predefined measure is performed.
This is a U.S. national stage of application No. PCT/EP2011/064109 filed 16 Aug. 2011. Priority is claimed on German Application No. 10 2010 044 858.3 filed 9 Sep. 2010, the content of which is incorporated herein by reference in its entirety.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The invention relates to a method for processing messages in a communication network comprising a plurality of network nodes, and to a corresponding communication network and a corresponding network node.
2. Description of the Related Art
It is known to provide test information for messages transmitted in a communication network. For example, by means of a CRC (cyclic redundancy check) it is possible to determine whether the data of a message has been changed during transmission as a result of transmission errors. It is also known to provide cryptographic checksums for messages, where it is possible for these checksums to be generated using a hidden input. This ensures that only a party in possession of the cryptographic hidden input can generate a verifiable checksum. By this means, it is possible to counteract the unauthorized transmission of messages in a communication network. By means of the cryptographic checksums, it is also possible to determine whether unauthorized manipulation of the message by an attacker has occurred.
Although the use of test information during the transmission of messages in a communication network enables effective protection against attacks, it has the disadvantage that, in order to verify the test information, it is normally necessary to perform time-consuming cryptographic operations that delay the continuing processing of the message. This is of relevance in communication networks for automation systems in particular, in which commands, or control instructions, are given to networked devices of the automation system via the messages. These commands are often time-critical, i.e., they may only be executed with a slight delay, as otherwise malfunctions in the operation of the automation system can occur.
A method for reversing a configuration change coupled to proof of authorization and executed in a control device is described in the published document DE 10 2007 040 094 B4. This method enables the configuration change to be reversed if the authorization message is subsequently countermanded.
A method for processing messages in a message processing device, where a priority with regard to the security check of the corresponding message is defined based on the content of that message, is described in the published document DE 10 2007 053 255 A1.
SUMMARY OF THE INVENTION
It is an object of the invention to provide a method for processing messages in a communication network in which the respective messages are protected by test information and yet are still processed rapidly in the communication network.
This and other objects and advantages are achieved in accordance with the invention by a method, a communication network and network nodes wherein the communication network is preferably the communication network of an automation system, which serves to process messages in a communication network consisting of several network nodes. In this use scenario, the individual network nodes constitute components of the automation system which, during operation of the system, perform functions within the process automated by the system. In such cases, the network nodes constitute, in particular, control devices, sensors, actors, interconnected switches (e.g., Ethernet switches) and suchlike. The automation system in such cases can be a system for the automation of processes or for the automation of production. The automation system can also be a system for the automation of buildings or the automation of energy.
In a step a) of the method according to the invention, messages are transmitted between network nodes of the communication network that are each combined with test information which can be verified to determine whether the corresponding message is admissible. In such cases, a message is then admissible if it leads to a positive test result. If it does not, the message is classed as inadmissible. The concept of admissibility should be understood in the broad sense and can be coupled to any desired criteria that can be suitably defined. For example, a message can be admissible if it can be positively verified based on test information in the form of a checksum, or if proof of authorization (e.g., a certificate) that is coupled to the message can be successfully verified.
The method according to the invention is characterized in that in a step b), for one or more messages out of a quantity of messages that are provided, or intended, for a respective network node of at least a portion of the network nodes, an action coupled to the message is performed from the respective network node, each time that a message is received in the respective network node, without checking the test information that is combined with the message, where, upon execution of the action, the test information is verified by the respective network node and, when the test result is negative, one or more predefined measures are performed. A message is thus linked with a predefined action, with the concept of action being understood in the broad sense here, and in particular comprising an individual action step or a series of several action steps. In a preferred embodiment, the message constitutes a corresponding command that can be executed by the respective network node. If the method according to the invention is used in a communication network of an automation system, the messages are preferably commands comprising control instructions for the execution of steps executed by the automation system.
Identification of the above features as step a) and step b) is only for the purpose of simplifying reference to them and is not intended to indicate the order in which the steps are to be executed.
The method according to the invention is based on the idea that most messages transmitted in a communication network are admissible and lead to a positive test result when the test information is verified. As a result, the actions coupled to the messages are provisionally rapidly executed without verification of the test information, but with appropriate measures being defined in the event that the message turns out to be inadmissible upon execution of the action. These measures serve in particular to protect the communication network from inadmissible messages. In the simplest of cases, a measure can constitute the issuing of a warning message so that a user of the communication network is made aware of inadmissible messages and can initiate appropriate further steps.
In a particularly preferred embodiment, the test information that is combined with a corresponding message comprises an appropriate checksum, which is generated taking account of the message, it being possible, when the checksum is verified, to ascertain whether the message has been changed, and for a changed message to constitute an inadmissible message. The checksum here can, for example, be a CRC checksum with which it is possible to establish the integrity of the message. The checksum is preferably a cryptographic checksum, such cryptographic checksum being generated using a cryptographic hidden input, i.e., using a symmetrical and/or asymmetrical cryptographic method. Any desired methods known from the prior art can be used to generate such checksums, in particular those based on cryptographic hash functions such as SHA-1, MD5, HMAC-SHA1, HMAC-MD5 and AES-CBC-MAC. It is also possible to generate the checksum based on signatures with suitable signature algorithms, such as RSA, DSA or EC-DSA.
Where applicable, the test information can also comprise proof of authorization, i.e., in the form of a certificate, by which it can be checked whether the message has been transmitted by an authorized party. The message is then an admissible message if the proof of authorization can be successfully verified when the test information is checked. Unlike with the above checksums, the proof of authorization can be generated without taking account of the data contained in the message.
In a further particularly preferred embodiment of the method according to the invention, restore information is stored in the particular network node via which the action performed in step b) can be reversed. The restore information can, for example, be derived from the message when the action coupled to the message is performed. It is also possible for the restore information to be contained in the message already. In the event of a negative test result in step b), the restore information serves to reverse the action coupled to the message, with this reversal constituting an embodiment of a predefined measure that is performed in the event of a negative test result.
When the method is used in a communication network of an automation system, the predefined measure or measures comprise, in particular, an emergency stop, and/or the operation in emergency mode, of one or more components of the automation system.
Step b) of the method according to the invention can, where applicable, be performed in all cases, i.e., upon receipt of every message in the respective network node for which the message is provided. It is, however, also possible for step b) to be performed only for messages that fulfill one or more criteria, with the test information of any messages which do not fulfill the criterion or criteria being checked first and the action coupled to any such messages subsequently being performed only if the test result is positive. It is thus possible to determine, in a manner appropriate to the respective use case, for which messages the action coupled to them should provisionally be performed without verification of the test information. In a preferred embodiment, the messages are classed as time-critical or not time-critical, with a criterion to be fulfilled by a message being that the message is time-critical. This means that if the action coupled to the message is classed as time-critical and to be performed rapidly, the message is classed as time-critical and is further processed without verification of the test information.
When the method according to the invention is used in a communication network of an automation system, the messages can also be classed as critical to the operation of the automation system or not critical to the operation of the automation system. In particular, a message is critical here if the action coupled to it is capable of leading to major damage to the automation system or to prolonged downtime of the automation system. In such cases, a criterion to be fulfilled by the message is that it is not critical to the operation of the automation system, i.e., the actions coupled to messages that are not critical are performed immediately, without verification of the test information, whereas critical messages are only further processed after positive verification of the test information.
In a further embodiment of the method according to the invention, a criterion to be fulfilled by a message of which the action coupled to it changes one or more parameters in corresponding network nodes is that the change in at least one of the parameters is less than a predefined amount, or is not above the predefined amount. This means that if the parameters only change slightly the message is provisionally processed further, and the action coupled to it is performed without taking account of the test information. It is assumed here that parameters in a corresponding network node only move within a certain value range during normal operation. It is therefore highly probable that messages with parameter changes within this value range have not been manipulated, so the actions coupled to such messages can provisionally be performed without verification of the test information.
The embodiment just described of the method according to the invention is also preferably implemented in a communication network of an automation system. The parameter or parameters here are one or more correcting variables that can be changed in the respective network node and relate to a process executed by the automation system, such as flow rates of liquids or gases, valve settings, motor speeds or pressures.
In a further embodiment of the method according to the invention, one criterion to be fulfilled by the message, as a result of which the action coupled to the message is performed without the test information being verified, is that an identical or similar message was received in the respective network node within a predefined period of time in the past and executed on the basis of step b), with the verification of the test information of this identical or similar message having also led to a positive test result. In the presently contemplated embodiment, the benefit derives from the knowledge that the parameters in consecutive messages in certain use scenarios, for example, in a communication network of an automation system, normally change only slowly, so a slight change in the parameters of the message indicates a message that has not been changed or manipulated and which can be processed first, without verification of the test information. The criteria when a message is classed as similar to another message can then be determined in a manner appropriate to the use case. For example, a message can be classed as similar to an earlier message if the message parameters have changed by no more than 5%.
In addition to the method described above, the invention also comprises a communication network with a multiplicity of network nodes, it being possible for the network nodes to be configured such that the method according to the invention, or one or more embodiments of the method according to the invention, can be implemented in the communication network.
The invention also relates to a network node for use in such a communication network, the network node being configured such that, when in operation in the communication network according to the invention, the network node performs the action coupled to one or more messages out of a quantity of messages that are provided for it, each time that a message is received and without checking the test information combined with the message, where also it is possible for the network node to verify the test information after the action has been performed and, in the event of a negative test result, either to initiate the implementation of one or more predefined measures or to perform them itself.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims. It should be further understood that the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein.
Exemplary embodiments of the invention are described in detail below with the aid of the attached figures, in which:
The method according to the invention is described below in relation to communication networks in automation systems in which the individual network nodes are components of the automation system that can communicate with one another via a corresponding network.
When the system is in operation, messages in the form of commands are exchanged between the network nodes, or devices, and by way of example such a command is designated by the reference sign CO in
Symmetrical or asymmetrical methods for generating the checksum can be used. In symmetrical methods, the same secret key is available to the control device N1 and the controlled device N2. The checksum in such cases has been generated using the command CO and the secret key, and can be verified in the controlled device N2 using the secret key. It is also possible for an asymmetrical method to be used, in which the checksum is generated in the control device N1 using a private key and is verified in the controlled device using a public key. It is possible to detect manipulations in the commands CO using the cryptographic checksums described above, as the command itself is used in the generation and verification of the checksum, so that when the command changes the checksum can no longer be positively verified. In addition, an attacker without knowledge of the appropriate (private) key is unable to calculate valid cryptographic checksums and thus cannot feed commands into the network.
With the cryptographic checksums described above efficient protection of communication within an automation system is assured. It has, however, proved to be disadvantageous that cryptographic operations involving time-consuming calculations, which can cause considerable delays in the operation of the automation system, are required to verify the checksum. These delays are no longer acceptable for certain particularly time-critical commands. In order to avoid such delays, in the embodiments described below the execution of certain predefined commands is initiated by the respective network node as soon as it receives such commands, without verification of the checksum. The checksum is only verified subsequently and, in the event of a negative test result, appropriate countermeasures are carried out, with the command that was executed preferably being reversed. This is achieved using appropriate restore or rollback information that is stored in the network node when the appropriate command is executed.
In the process represented in
The start of the method is designated by step S1. In step S2 a control instruction is received by a corresponding network node, with the network node deriving and storing rollback information from the control instruction in step S3. On the basis of this rollback information, it is possible to reverse an executed control instruction. The rollback information can, where appropriate, also be encoded directly in the control instruction. The control instruction is then executed in step S4; for example, the speed of a motor is changed or corresponding valves opened or shut. Only after the control instruction has been executed is the cryptographic checksum of the control instruction verified, in step S5. In step S6 it is determined whether the checksum is valid or not. If the checksum is valid (branch Y from step S6) the rollback information stored previously in step S3 is deleted in step S7 and the method is completed in step S8. If, on the other hand, the cryptographic checksum is not valid (branch N from step S6) the control instruction is reversed in step S9 on the basis of the rollback information, so that the status of the respective network node before the control instruction was executed is restored. The control instruction is then deleted, again in step S7, and the method is completed in step S8.
With the embodiment of the method represented in
The start of the method in
If in the above step S103 it is found that the control instruction is an instruction that is only to be executed after the cryptographic checksum has been positively verified (branch N from S103), the cryptographic checksum is verified first, in step S111. If in step S112 it is then found that the checksum is valid (branch Y from step S112) the control instruction is executed in step S113 and the method then completed in step S109. If, on the other hand, it is found in step S112 that the cryptographic checksum is invalid (branch N from step S112), the control instruction is rejected in step S114 and the method then completed in step S109.
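The two flows described above (provisional execution with rollback in steps S3 to S9, and the verify-first path in steps S111 to S114 for commands that do not meet the criteria), as an added example that is not part of the patent. It models the HMAC checksum as a symmetric-key case and three of the page's criteria: a parameter that is critical to operation is always verified first, a change within a small relative range is executed provisionally, and a command close to one positively verified within a recent window is executed provisionally. The message format, key, parameter names and the 5% limit are constructed for the demo.

```python
"""Optimistic execute-then-verify for automation commands (constructed demo)."""
import hashlib
import hmac

DEMO_KEY = b"constructed-shared-secret"  # symmetric key shared by N1 and N2 (constructed)


def encode_command(param: str, value: float, key: bytes = DEMO_KEY) -> bytes:
    """Command CO plus cryptographic checksum, encoded as 'param=value|hmac-hex'."""
    body = f"{param}={value}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def corrupt_value(msg: bytes, new_value: float) -> bytes:
    """Test vector: change the value but keep the old tag, as a modified message would look."""
    body, tag = msg.rsplit(b"|", 1)
    param = body.decode().split("=", 1)[0]
    return f"{param}={new_value}".encode() + b"|" + tag


class Node:
    """Controlled device N2: executes commands, verifies afterwards where criteria allow."""

    def __init__(self, params, key=DEMO_KEY, max_rel_change=0.05,
                 critical=(), recent_window=10.0):
        self.params = dict(params)          # correcting variables (motor speed, valve, ...)
        self.key = key
        self.max_rel_change = max_rel_change  # "similar" means within this relative change
        self.critical = set(critical)       # parameters critical to operation: verify first
        self.recent_window = recent_window  # seconds in which an earlier verified command counts
        self.recent_ok = {}                 # param -> (value, time) of last positively verified
        self.alerts = []                    # warning messages issued as a predefined measure

    def verify(self, body: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def _close(self, old: float, new: float) -> bool:
        if old == 0:
            return new == 0
        return abs(new - old) / abs(old) <= self.max_rel_change

    def optimistic_allowed(self, param: str, value: float, now: float) -> bool:
        """Criteria for step b): not critical, and small change or recently verified similar."""
        if param in self.critical or param not in self.params:
            return False
        if self._close(self.params[param], value):
            return True
        recent = self.recent_ok.get(param)
        return (recent is not None and now - recent[1] <= self.recent_window
                and self._close(recent[0], value))

    def handle(self, msg: bytes, now: float = 0.0) -> str:
        body, tag_hex = msg.rsplit(b"|", 1)
        param, raw = body.decode().split("=", 1)
        value, tag = float(raw), bytes.fromhex(tag_hex.decode())
        if self.optimistic_allowed(param, value, now):
            rollback = self.params[param]        # S3: store restore information
            self.params[param] = value           # S4: execute before checking the checksum
            if self.verify(body, tag):           # S5/S6: verify afterwards
                self.recent_ok[param] = (value, now)
                return "executed"                # S7: restore information discarded
            self.params[param] = rollback        # S9: reverse the action
            self.alerts.append(f"rollback {param}: {value} rejected, restored {rollback}")
            return "rolled_back"
        if not self.verify(body, tag):           # S111/S112: verify first
            self.alerts.append(f"rejected {param}={value}")
            return "rejected"                    # S114
        self.params[param] = value               # S113
        self.recent_ok[param] = (value, now)
        return "executed_after_verify"


if __name__ == "__main__":
    node = Node({"motor_speed": 1000.0, "valve": 0.5}, critical=("valve",))
    print(node.handle(encode_command("motor_speed", 1020.0), now=1.0), node.params)
    bad = corrupt_value(encode_command("motor_speed", 1030.0), 1040.0)
    print(node.handle(bad, now=2.0), node.params)
    print(node.handle(corrupt_value(encode_command("valve", 0.51), 0.52), now=3.0), node.params)
    print(node.alerts)
```

The undesired effect of a manipulated small-change command is confined to the interval between S4 and S9; a manipulated command on a critical parameter never reaches the actuator.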
The embodiments described above of the method according to the invention have several advantages. In particular, at least some control instructions that are not critical to the operation of an automation system can be executed without the additional delay caused by verification of a cryptographic checksum. As a result, delays are avoided, and any undesired effects are limited to the time that elapses before the cryptographic checksum is verified. In this way, downtimes during the performance of normal functions are reduced, allowing better general behavior of the system to be achieved with regard to stability and control dynamics.
While there have been shown, described, and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.
Claims
1. A method for processing messages in a communication network of an automation system comprising a plurality of network nodes, the method comprising the steps of:
- transmitting messages between network nodes of the plurality of network nodes of the communication network of the automation system which are each combined with test information which is verifiable to determine whether a corresponding message is admissible, an admissible message leading to a positive test result and an inadmissible message leading to a negative test result; and
- performing an action coupled to the message without verification of the test information from the respective network node that is combined with the message for at least one message out of a quantity of messages which are provided for a respective network node of the plurality of network nodes, of at least a portion of the plurality of network nodes, in each case when a message is received in the respective network node of the plurality of network nodes, the test information being verified by the respective network node of the plurality of network nodes upon execution of the action and at least one predefined measure is performed when the test result is negative.
2. The method as claimed in claim 1, wherein at least some of the messages are control instructions for execution of steps by corresponding network nodes of the plurality of the network nodes during a process executed by the automation system.
3. The method as claimed in claim 2, wherein the test information comprises a checksum which is generated based on the message; wherein, when the checksum is verified, it is possible to determine whether the message has been changed; and
- wherein a changed message is an inadmissible message.
4. The method as claimed in claim 1, wherein the test information comprises a checksum which is generated based on the message; wherein, when the checksum is verified, it is possible to determine whether the message has been changed; and
- wherein a changed message is an inadmissible message.
5. The method as claimed in claim 4, wherein the checksum is at least one of a CRC checksum and a cryptographic checksum; and wherein the cryptographic checksum is generated using a cryptographic hidden input.
6. The method as claimed in claim 5, wherein the cryptographic hidden input is at least one of a symmetrical and asymmetrical cryptographic method.
7. The method as claimed in claim 1, wherein the test information comprises proof of authorization, in particular a certificate; and wherein the message is an admissible message if the proof of authorization can be positively verified when the test information is verified.
8. The method as claimed in claim 7, wherein the proof of authorization comprises a certificate.
9. The method as claimed in claim 1, wherein restore information is stored in a particular network node of the plurality of network nodes via which the action performed during said step of performing the action is reversible; and wherein the at least one predefined measure in an event of a negative test result in said step of performing the action comprises a reversal of the action performed based on restore information.
10. The method as claimed in claim 1, wherein the at least one predefined measure in an event of a negative test result in said step of performing the action comprises a warning message.
11. The method as claimed in claim 1, wherein the at least one predefined measure comprises at least one of an emergency stop and operation in an emergency mode of at least one component of the automation system.
12. The method as claimed in claim 1, wherein said step of performing the action is performed for messages that fulfill at least one criteria; and wherein, for messages which do not fulfill the at least one criteria the test information of the message is initially checked and an action coupled to the message is then only performed in an event of a positive test result.
13. The method as claimed in claim 12, wherein the messages are classed as time-critical or not time-critical; wherein a criterion to be fulfilled by a message is that the message is time-critical.
14. The method as claimed in claim 13, wherein the messages are classed as critical to operation of the automation system or not critical to the operation of the automation system; and wherein a criterion to be fulfilled by the message is that the message is not critical to the operation of the automation system.
15. The method as claimed in claim 12, wherein the messages are classed as critical to operation of the automation system or not critical to the operation of the automation system; and wherein a criterion to be fulfilled by the message is that the message is not critical to the operation of the automation system.
16. The method as claimed in claim 12, wherein for a message of which an action coupled to the message changes at least one parameter in the respective network node of the plurality of network nodes, a criterion to be fulfilled is that one of a change in at least one of the parameters is less than a predefined amount and the change in at least one of the parameters is not above the predefined amount.
17. The method as claimed in claim 16, wherein the at least one parameter is at least one correcting variable which is changeable in the respective network node of the plurality of network nodes and relates to a process executed by the automation system.
18. The method as claimed in claim 12, wherein a criterion to be fulfilled by the message is that an identical or similar message was received in the respective network node of the plurality of network nodes within a predefined period in the past and was processed based on said step of performing the action; and wherein the verification of the test information of the identical or similar message also led to a positive test result.
19. A communication network of an automation system comprising a plurality of network nodes, wherein each of the plurality of network nodes of the communication network is configured to:
- transmit messages between network nodes of the plurality of network nodes of the communication network of the automation system which are each combined with test information which is verifiable to determine whether a corresponding message is admissible, an admissible message leading to a positive test result and an inadmissible message leading to a negative test result; and
- perform an action coupled to the message without verification of the test information from the respective network node that is combined with the message for at least one message out of a quantity of messages which are provided for a respective network node of the plurality of network nodes, of at least a portion of the plurality of network nodes, in each case when a message is received in the respective network node of the plurality of network nodes, the test information being verified by the respective network node of the plurality of network nodes upon execution of the action and at least one predefined measure is performed when the test result is negative.
20. The communication network as claimed in claim 19, wherein the communication network of the automation system is configured such that at least some of the messages are control instructions for execution of steps by corresponding network nodes of the plurality of the network nodes during a process executed by the automation system.
21. A network node for implementation in a communication network of an automation system comprising a plurality of network nodes, wherein each network node of the plurality of network nodes is configured such that, when in operation in the communication network of the automation system, each network node performs an action coupled to at least one message out of a plurality of messages that are provided for each respective network node, in each case when a message is received, without checking the test information combined with the message; and wherein each network node verifies the test information after the action has been performed and, in an event of a negative test result, initiates implementation of at least one predefined measure.
References Cited

U.S. Patent Documents

| Patent No. | Date | Inventor |
| --- | --- | --- |
| 5568380 | October 22, 1996 | Brodnax et al. |
| 6772334 | August 3, 2004 | Glawitsch |
| 7353394 | April 1, 2008 | Marmigere et al. |
| 7458095 | November 25, 2008 | Forsberg |
| 8356178 | January 15, 2013 | Hars |
| 20020010874 | January 24, 2002 | Barthel |
| 20030076847 | April 24, 2003 | Chu |
| 20050160052 | July 21, 2005 | Schneider et al. |
| 20070192863 | August 16, 2007 | Kapoor et al. |
| 20090133121 | May 21, 2009 | Falk et al. |
| 20100161958 | June 24, 2010 | Cho et al. |

Foreign Patent Documents

| Patent No. | Date | Country |
| --- | --- | --- |
| 1536914 | October 2004 | CN |
| 102007040094 | February 2009 | DE |
| 102007053255 | May 2009 | DE |
| 102008009691 | August 2009 | DE |
| 10 2007 040 094 | February 2010 | DE |
| 1615370 | January 2006 | EP |
| 100749846 | August 2007 | KR |
Type: Grant
Filed: Aug 16, 2011
Date of Patent: Apr 28, 2015
Patent Publication Number: 20130167234
Assignee: Siemens Aktiengesellschaft (Munich)
Inventors: Rainer Falk (Poing), Steffen Fries (Baldham)
Primary Examiner: Teshome Hailu
Application Number: 13/821,467
International Classification: G06F 11/00 (20060101); H04L 29/06 (20060101); G06F 21/64 (20130101); H04L 1/24 (20060101); H04L 9/32 (20060101);